• Raise Money for Cancer Research

    This is a private post – and does not really have a lot to do with my job at Microsoft. Well, a little… A friend of mine – actually the EMEA Security PR guy at Microsoft – is an avid darts player and often participates in darts tournaments. That has a big advantage for me: when we have a business meeting in London, Richard knows the pubs – but that is a completely different story.

    A few years back, Richard got in touch with me for the first time: they had decided to break the record for continuous darts playing. And they broke it, but do not ask me how long it was – just terribly long. They lost the record again and won it back. Each time they raised money for cancer research.

    Now it is time for a new one. In Richard’s own words:

    As some of you know, I’m a keen darts player, and also an enthusiastic fund raiser for Cancer Research. Once a year I try to combine these two passions.

    This year’s event will be the first ever true darts marathon. In the past there have been many darts marathons measured in time – 24, 48 hours and even longer. But never has there been one in which the aim is to cover the 26 miles 385 yards distance of a marathon whilst playing darts. Well, April 23 through April 25 we will be attempting to put this right en route to raising £10,000 for Cancer Research, The Royal British Legion and a local dialysis unit in Reading.

    There are 1,661,220 inches in a marathon. Throw three darts, take them out of the board and walk back again and you’ve covered 186.5 inches. Now do that 8,908 times and you’ve covered a marathon. More than 20 people will take part, playing in four-hour shifts. We will throw nearly 29,000 darts and expect the challenge to last around 40 hours, ending at noon on Sunday, April 25th which, coincidentally, is the day of the London Marathon. In keeping with the marathon theme and to attract media attention, all players will be dressed as marathon runners.

    I think that this is an outstanding idea, and not only did I support it, I would like you to do the same! Go to http://www.justgiving.com/truedartsmarathon and support Richard. This is no joke, no spam – I know the guy and it is truly genuine!

    Roger



  • This cannot be Microsoft Technology :-)

    Dilbert.com


  • Why Today’s End-User Education Fails!

    I was reading a paper recently, which I initially thought was a joke (it looked scientific, so I was not too scared). But as our research department wrote it, it is serious and really, really good – at least it definitely made me think. It is called So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users – you should read it!

    Basically it focuses on the cost/benefit of security advice from the end-user’s perspective. Here are a few quotes from the paper (to tease you):

    • We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective.
    • A study of password habits in 2007 [26] found that users still choose the weakest they can get away with, much as they did three decades earlier [45].
    • For example, it makes little sense to invest effort in password strength requirements if phishing and keylogging are the main threats. It does not pay to learn URL reading rules to recognize phishing sites when the direct losses borne by users average less than a dollar a year. It's hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.

    If you think it through – they are right. Then, they draw a few conclusions:

    • Users Understand Risks better than We do
    • Worst Case Harm and Actual Harm are not the Same
    • User Effort is not Free
    • Designing Security Advice is not an Unconstrained Optimization
    • The Economic Harm of Security Advice

    and then, please, read their final chapter, What Can We Do? – otherwise you will stay frustrated :-)

    Roger



  • Council of Europe – Octopus Conference (Cooperation against Cybercrime) – Key Messages

    I blogged on Day 1 and Day 2 but, as I expected, I was unable to blog on the conference yesterday. However, let me just briefly give you my impression of the final day:

    The core part of this last day was a whole block on Cloud Computing. There were different presentations on the subject and then a panel discussion, which I had the opportunity to be part of. There are a few key conclusions for the cloud from my point of view:

    • Looking at the presentations (mainly done by “Cloud Specialists”), there is a huge gap between the lawyers and the IT security people. The presenters – in my opinion – were unable to explain the cloud to a lawyer. The presentations (and some of the statements) were very good if you have an IT background, but for someone with a legal background who is not too IT literate (as most of the judges and prosecutors are), I guess they still do not know more about the cloud than before – a missed opportunity.
    • We therefore have to find a common language. We have to be able and willing to channel our excitement and explain it to non-IT people. I once had a manager who told me that I have to be able to explain something to a 6-year-old child. We have to bring the cloud to that level. A lot of people I talked to do not understand the difference between Windows, Internet Explorer and Facebook or Twitter. For them, it is one and the same. And to be clear – they are not dumb. I have the same problem when they try to explain to me the details of the Cybercrime Convention and its application within European and local law.
    • The industry performs poorly (I am kind of stuck in the communication channel). We either oversimplify (oh, security is solved in the cloud as the pros take care of it – the typical message of one of the biggest cloud providers) or we add too much complexity – this has to change.
    • The panel was in agreement that international – even global – rules are needed for the cloud, along with the corresponding rules and regulations. One of the panelists compared it with maritime or air traffic legislation. This is regulated on a global basis. Something similar is needed.

    Finally, the conference always concludes with key messages and summaries from the workshops. The strongest one – I had the feeling – was the one for ICANN (see the ICANN point below). This is the excerpt from the final document:

    In this connection, participants in the conference underline that:

    • For security and the protection of rights to reinforce each other, measures against cybercrime must follow principles of human rights and the rule of law.
    • Security and the protection of rights is the responsibility of both public authorities and private sector organisations.
    • Broadest possible implementation of existing tools and instruments will have the most effective impact on cybercrime in the most efficient manner.

    Following detailed discussions, participants recommend:

    • Making decision makers aware of the risks of cybercrime and encouraging them to exercise their responsibility. Indicators of political commitment include steps towards the adoption of legislation and institution building, effective international cooperation and allocation of the necessary resources.
    • Implementation of the Budapest Convention on Cybercrime worldwide to sustain legislative reforms already underway in a large number of countries. Countries should consider becoming parties to make use of the international cooperation provisions of this treaty. Consensus on this treaty as a common framework of reference helps mobilise resources and create partnerships among public and private sector organisations. In this connection, the ratification of the Budapest Convention by Azerbaijan, Montenegro and Portugal prior and during the conference, and the expression of interest to accede by Argentina and other countries serve as examples to other countries.
    • Establishing the Budapest Convention as the global standard goes hand in hand with strengthening the Cybercrime Convention Committee (T-CY) as a forum for information sharing, networking, policy-making and standard-setting. It is encouraged to address issues not (exhaustively) regulated by the provisions of the Cybercrime Convention such as electronic evidence, jurisdiction and liability of ISPs.
    • Coherent and systematic training of law enforcement, prosecutors and judges based on good practices, concepts and materials already available.
    • The establishment and strengthening of high-tech crime and cybercrime units, and incident response and reporting teams and systems.
    • The development of cooperation procedures between law enforcement agencies, CERTs/CSIRTs as well as internet service providers and the IT industry.
    • Due diligence by ICANN, registrars and registries and accurate WHOIS information. Endorsement of the “Law Enforcement Recommended Amendments to ICANN’s Registrar Accreditation Agreement (RAA) and Due Diligence Recommendations” in line with data protection standards. ICANN is encouraged to implement these recommendations without delay.
    • The many networks and initiatives against cybercrime that exist already create a dynamic and innovative environment involving a wide range of actors. Stronger networking among networks is encouraged to allow for synergies and reduce duplication. The mapping of networks exercise initiated by the Council of Europe should be continued.
    • A contact list for enhanced cooperation between industry and law enforcement should be established. A proposal for a secure portal for interested parties is in preparation.
    • Initiatives aimed at preventing, protecting and prosecuting the sexual exploitation and abuse of children are most valuable but require stronger support and consistency. The “Lanzarote” Convention of the Council of Europe (CETS 201) offers guidance in this respect and provides benchmarks to determine progress.
    • Making use of the guidelines for law enforcement – ISP cooperation adopted at the Octopus Conference in 2008.
    • Completion and broad dissemination of the results by the Council of Europe of the typology study on criminal money flows on the Internet that is currently underway.
    • In order to meet the law enforcement and privacy challenges related to cloud computing, existing instruments on international cooperation – such as the Data Protection Convention (CETS 108) and the Budapest Convention – need to be applied more widely and efficiently. Additional international standards on law enforcement access to data stored in the “clouds” may need to be considered. Globally trusted privacy and data protection standards and policies addressing those issues need to be put in place, and the Council of Europe is encouraged to continue addressing these issues in its standard-setting activities as well as through the Global Project on Cybercrime.

    The website of the event is here: Octopus Interface 2010 and these are the Key Messages.

    It was – once more – a very good conference. That collaboration has become closer could also be seen in the fact that there was not a single session from which the private sector was excluded. Talking about the private sector: it is a real shame that quite a few key players from the industry are still not very active in supporting such activities. Just joining the conference does not solve the problems.

    Roger



  • Council of Europe – Octopus Conference (Cooperation against Cybercrime) Day 2

    And the second day starts. I just met with Jeremy Kirk from IDG and it is great to see that the press is actually interested in such a conference as well.

    The day today started with a long session on different initiatives against cybercrime. A lot of good information:

    • Interpol offers quite some good services to police forces across the globe: a 24/7 center to bridge between the different police forces (sometimes just to overcome language barriers), a central database to share information on crimes, etc. Additionally, they train law enforcement officers across the globe on cybercrime and investigation.
    • London Action Plan: the largest network of civil authorities, but it is open to participation by the industry. Even though it is called “London Action Plan”, it is a global public-private partnership, formed in 2004, and covers data protection agencies, consumer protection agencies, the private sector, etc. They want to strengthen the network, increase knowledge and share best practices and emerging threats. Basically it is about how the different parties can use their tools and knowledge in a cooperative way to conduct investigations.
    • GPEN (Global Prosecutor E-Crime Network): it is owned by the International Association of Prosecutors. Basically this is a big sharing initiative for prosecutors on cybercrime. One of the key areas is about sharing training packs for capacity building. Additionally, they run a website with a forum where they share approaches to cases (no sensitive information) – a fairly interesting approach. Finally, they have material they share about how to present cases in court (like how a botnet works, what a Trojan horse does…) such as videos, presentations, etc.
    • InHope: InHope is a network of hotlines against illegal content like child sexual abuse images (actually the core of their work), extreme violence, racism, etc. They want to work on standardization (or best practices) for how such reports are handled, to make law enforcement more effective. They cover 31 countries today and are looking into growing into more developing countries.
    • Global Network Initiative: an initiative to support freedom of expression and privacy. The challenge they want to address is the conflict global companies face where local legislation conflicts with human rights on the Internet. So, the GNI developed a set of principles to advance human rights on the Internet.
    • Anti-Phishing Working Group: it is fairly obvious what they do. A few years back, they actually organized an event in Europe (I think it was in Berlin) on how to collaborate on phishing cases. One of the projects they are running at the moment is about sharing data with law enforcement. It is basically about automated processing of e-crime data and writing “the story” for the prosecutor and judge. So, it is about harmonizing databases and file formats. A good idea; I am just wondering whether the law enforcement agencies will pick it up and really share the data, as they do not share the data today – because they are often not allowed to share… Where they definitely will be successful is when it comes to data on phishing cases.
    • Messaging Anti-Abuse Working Group (MAAWG): this working group actually dates back to the time when e-mail came up significantly and when e-mail started to get abused. So, the working group mainly consists of ISPs as well as some security vendors and companies which rightfully use e-mail for marketing purposes. Basically it is about collaborating to fight spam (which often is one of the roots of cybercrime attacks), and they have a lot of good guidelines, like the use of port 25, etc.

    What I liked about this network sharing workshop is that I never heard from any of the networks “we are the ones” but much more: we want to collaborate and not duplicate efforts – a great position that we need. If you want to get an overview of the different networks which exist, the Council of Europe has a good overview: Anti-cybercrime networks, organisations and initiatives

    The afternoon was about effective measures against sexual exploitation and abuse of children on the internet. I was fairly new to this theme. So, there are a few key findings for me:

    • Even just getting children access to law enforcement is a huge problem. But there are initiatives to address this – for the children who are most exposed, like children without parents, as well.
    • This is a very big social problem. It is not necessarily a legal challenge (which it is as well, but there are guidelines for it) but – again – how can a victim really exercise their rights?
    • There is a lot of interesting (and shocking) information available on the website of ECPAT International: http://www.ecpat.net/EI/EI_publications.asp

    So far it was – as always – a very interesting and valuable conference. I am not sure whether I can write about tomorrow, as I will be in a panel on the Cloud in the morning and then on the road.

    Roger